Package | system.web.auth |
---|---|
Inheritance | class CDbAuthManager » CAuthManager » CApplicationComponent » CComponent |
Implements | IAuthManager, IApplicationComponent |
Since | 1.0 |
Version | $Id$ |
Source Code | framework/web/auth/CDbAuthManager.php |
Property | Type | Description | Defined By |
---|---|---|---|
assignmentTable | string | the name of the table storing authorization item assignments. | CDbAuthManager |
authItems | array | Returns the authorization items of the specific type and user. | CDbAuthManager |
behaviors | array | the behaviors that should be attached to this component. | CApplicationComponent |
connectionID | string | the ID of the CDbConnection application component. | CDbAuthManager |
db | CDbConnection | the database connection. | CDbAuthManager |
defaultRoles | array | list of role names that are assigned to all users implicitly. | CAuthManager |
isInitialized | boolean | whether this application component has been initialized (i.e., init() is invoked. | CApplicationComponent |
itemChildTable | string | the name of the table storing authorization item hierarchy. | CDbAuthManager |
itemTable | string | the name of the table storing authorization items. | CDbAuthManager |
operations | array | Returns operations. | CAuthManager |
roles | array | Returns roles. | CAuthManager |
tasks | array | Returns tasks. | CAuthManager |
Property | Type | Description | Defined By |
---|---|---|---|
dbConnection | CDbConnection | the DB connection instance | CDbAuthManager |
Method | Description | Defined By |
---|---|---|
__call() | Calls the named method which is not a class method. | CComponent |
__destruct() | Destructor. | CDbAuthManager |
__get() | Returns a property value, an event handler list or a behavior based on its name. | CComponent |
__isset() | Checks if a property value is null. | CComponent |
__set() | Sets value of a component property. | CComponent |
__unset() | Sets a component property to be null. | CComponent |
addItemChild() | Adds an item as a child of another item. | CDbAuthManager |
asa() | Returns the named behavior object. | CComponent |
assign() | Assigns an authorization item to a user. | CDbAuthManager |
attachBehavior() | Attaches a behavior to this component. | CComponent |
attachBehaviors() | Attaches a list of behaviors to the component. | CComponent |
attachEventHandler() | Attaches an event handler to an event. | CComponent |
canGetProperty() | Determines whether a property can be read. | CComponent |
canSetProperty() | Determines whether a property can be set. | CComponent |
checkAccess() | Performs access check for the specified user. | CDbAuthManager |
clearAll() | Removes all authorization data. | CDbAuthManager |
clearAuthAssignments() | Removes all authorization assignments. | CDbAuthManager |
createAuthItem() | Creates an authorization item. | CDbAuthManager |
createOperation() | Creates an operation. | CAuthManager |
createRole() | Creates a role. | CAuthManager |
createTask() | Creates a task. | CAuthManager |
detachBehavior() | Detaches a behavior from the component. | CComponent |
detachBehaviors() | Detaches all behaviors from the component. | CComponent |
detachEventHandler() | Detaches an existing event handler. | CComponent |
disableBehavior() | Disables an attached behavior. | CComponent |
disableBehaviors() | Disables all behaviors attached to this component. | CComponent |
enableBehavior() | Enables an attached behavior. | CComponent |
enableBehaviors() | Enables all behaviors attached to this component. | CComponent |
executeBizRule() | Executes the specified business rule. | CAuthManager |
getAuthAssignment() | Returns the item assignment information. | CDbAuthManager |
getAuthAssignments() | Returns the item assignments for the specified user. | CDbAuthManager |
getAuthItem() | Returns the authorization item with the specified name. | CDbAuthManager |
getAuthItems() | Returns the authorization items of the specific type and user. | CDbAuthManager |
getEventHandlers() | Returns the list of attached event handlers for an event. | CComponent |
getIsInitialized() | Checks whether this application component has been initialized (i.e., init() is invoked.) | CApplicationComponent |
getItemChildren() | Returns the children of the specified item. | CDbAuthManager |
getOperations() | Returns operations. | CAuthManager |
getRoles() | Returns roles. | CAuthManager |
getTasks() | Returns tasks. | CAuthManager |
hasEvent() | Determines whether an event is defined. | CComponent |
hasEventHandler() | Checks whether the named event has attached handlers. | CComponent |
hasItemChild() | Returns a value indicating whether a child exists within a parent. | CDbAuthManager |
hasProperty() | Determines whether a property is defined. | CComponent |
init() | Initializes the application component. | CDbAuthManager |
isAssigned() | Returns a value indicating whether the item has been assigned to the user. | CDbAuthManager |
raiseEvent() | Raises an event. | CComponent |
removeAuthItem() | Removes the specified authorization item. | CDbAuthManager |
removeItemChild() | Removes a child from its parent. | CDbAuthManager |
revoke() | Revokes an authorization assignment from a user. | CDbAuthManager |
save() | Saves the authorization data to persistent storage. | CDbAuthManager |
saveAuthAssignment() | Saves the changes to an authorization assignment. | CDbAuthManager |
saveAuthItem() | Saves an authorization item to persistent storage. | CDbAuthManager |
Method | Description | Defined By |
---|---|---|
checkDefaultRoles() | Checks the access based on the default roles as declared in defaultRoles. | CDbAuthManager |
checkItemChildType() | Checks the item types to make sure a child can be added to a parent. | CAuthManager |
detectLoop() | Checks whether there is a loop in the authorization item hierarchy. | CDbAuthManager |
getDbConnection() | Returns the DB connection instance | CDbAuthManager |
usingSqlite() | CDbAuthManager |
the name of the table storing authorization item assignments. Defaults to 'AuthAssignment'.
Returns the authorization items of the specific type and user.
the ID of the CDbConnection application component. Defaults to 'db'. The database must have the tables as declared in "framework/web/auth/schema.sql".
the database connection. By default, this is initialized automatically as the application component whose ID is indicated as connectionID.
the DB connection instance
the name of the table storing authorization item hierarchy. Defaults to 'AuthItemChild'.
the name of the table storing authorization items. Defaults to 'AuthItem'.
public void __destruct()
|
public function __destruct()
{
if($this->db!==null)
$this->db->setActive(false);
}
Destructor. Disconnect the db connection.
public void addItemChild(string $itemName, string $childName)
| ||
$itemName | string | the parent item name |
$childName | string | the child item name |
public function addItemChild($itemName,$childName)
{
if($itemName===$childName)
throw new CException(Yii::t('yii','Cannot add "{name}" as a child of itself.',
array('{name}'=>$itemName)));
$sql="SELECT * FROM {$this->itemTable} WHERE name=:name1 OR name=:name2";
$command=$this->db->createCommand($sql);
$command->bindValue(':name1',$itemName);
$command->bindValue(':name2',$childName);
$rows=$command->queryAll();
if(count($rows)==2)
{
static $types=array('operation','task','role');
if($rows[0]['name']===$itemName)
{
$parentType=$rows[0]['type'];
$childType=$rows[1]['type'];
}
else
{
$childType=$rows[0]['type'];
$parentType=$rows[1]['type'];
}
$this->checkItemChildType($parentType,$childType);
if($this->detectLoop($itemName,$childName))
throw new CException(Yii::t('yii','Cannot add "{child}" as a child of "{name}". A loop has been detected.',
array('{child}'=>$childName,'{name}'=>$itemName)));
$sql="INSERT INTO {$this->itemChildTable} (parent,child) VALUES (:parent,:child)";
$command=$this->db->createCommand($sql);
$command->bindValue(':parent',$itemName);
$command->bindValue(':child',$childName);
$command->execute();
}
else
throw new CException(Yii::t('yii','Either "{parent}" or "{child}" does not exist.',array('{child}'=>$childName,'{parent}'=>$itemName)));
}
Adds an item as a child of another item.
public CAuthAssignment assign(string $itemName, mixed $userId, string $bizRule=NULL, mixed $data=NULL)
| ||
$itemName | string | the item name |
$userId | mixed | the user ID (see IWebUser::getId) |
$bizRule | string | the business rule to be executed when checkAccess is called for this particular authorization item. |
$data | mixed | additional data associated with this assignment |
{return} | CAuthAssignment | the authorization assignment information. |
public function assign($itemName,$userId,$bizRule=null,$data=null)
{
if($this->usingSqlite() && $this->getAuthItem($itemName)===null)
throw new CException(Yii::t('yii','The item "{name}" does not exist.',array('{name}'=>$itemName)));
$sql="INSERT INTO {$this->assignmentTable} (itemname,userid,bizrule,data) VALUES (:itemname,:userid,:bizrule,:data)";
$command=$this->db->createCommand($sql);
$command->bindValue(':itemname',$itemName);
$command->bindValue(':userid',$userId);
$command->bindValue(':bizrule',$bizRule);
$command->bindValue(':data',serialize($data));
$command->execute();
return new CAuthAssignment($this,$itemName,$userId,$bizRule,$data);
}
Assigns an authorization item to a user.
public boolean checkAccess(string $itemName, mixed $userId, array $params=array (
))
| ||
$itemName | string | the name of the operation that need access check |
$userId | mixed | the user ID. This should can be either an integer and a string representing the unique identifier of a user. See IWebUser::getId. |
$params | array | name-value pairs that would be passed to biz rules associated with the tasks and roles assigned to the user. |
{return} | boolean | whether the operations can be performed by the user. |
public function checkAccess($itemName,$userId,$params=array())
{
if(!empty($this->defaultRoles) && $this->checkDefaultRoles($itemName,$params))
return true;
$sql="SELECT name, type, description, t1.bizrule, t1.data, t2.bizrule AS bizrule2, t2.data AS data2 FROM {$this->itemTable} t1, {$this->assignmentTable} t2 WHERE name=itemname AND userid=:userid";
$command=$this->db->createCommand($sql);
$command->bindValue(':userid',$userId);
// check directly assigned items
$names=array();
foreach($command->queryAll() as $row)
{
Yii::trace('Checking permission "'.$row['name'].'"','system.web.auth.CDbAuthManager');
if($this->executeBizRule($row['bizrule2'],$params,unserialize($row['data2']))
&& $this->executeBizRule($row['bizrule'],$params,unserialize($row['data'])))
{
if($row['name']===$itemName)
return true;
$names[]=$row['name'];
}
}
// check all descendant items
while($names!==array())
{
$items=$this->getItemChildren($names);
$names=array();
foreach($items as $item)
{
Yii::trace('Checking permission "'.$item->getName().'"','system.web.auth.CDbAuthManager');
if($this->executeBizRule($item->getBizRule(),$params,$item->getData()))
{
if($item->getName()===$itemName)
return true;
$names[]=$item->getName();
}
}
}
return false;
}
Performs access check for the specified user.
protected boolean checkDefaultRoles(string $itemName, array $params)
| ||
$itemName | string | the name of the operation that need access check |
$params | array | name-value pairs that would be passed to biz rules associated with the tasks and roles assigned to the user. |
{return} | boolean | whether the operations can be performed by the user according to the default roles. |
protected function checkDefaultRoles($itemName,$params)
{
$names=array();
foreach($this->defaultRoles as $role)
{
if(is_string($role))
$names[]=$this->db->quoteValue($role);
else
$names[]=$role;
}
if(count($names)<4)
$condition='name='.implode(' OR name=',$names);
else
$condition='name IN ('.implode(', ',$names).')';
$sql="SELECT name, type, description, bizrule, data FROM {$this->itemTable} WHERE $condition";
$command=$this->db->createCommand($sql);
$rows=$command->queryAll();
foreach($rows as $row)
{
Yii::trace('Checking default role "'.$row['name'].'"','system.web.auth.CDbAuthManager');
$item=new CAuthItem($this,$row['name'],$row['type'],$row['description'],$row['bizrule'],unserialize($row['data']));
if($item->checkAccess($itemName,$params))
return true;
}
return false;
}
Checks the access based on the default roles as declared in defaultRoles.
public void clearAll()
|
public function clearAll()
{
$this->clearAuthAssignments();
$this->db->createCommand("DELETE FROM {$this->itemChildTable}")->execute();
$this->db->createCommand("DELETE FROM {$this->itemTable}")->execute();
}
Removes all authorization data.
public void clearAuthAssignments()
|
public function clearAuthAssignments()
{
$this->db->createCommand("DELETE FROM {$this->assignmentTable}")->execute();
}
Removes all authorization assignments.
public CAuthItem createAuthItem(string $name, integer $type, string $description='', string $bizRule=NULL, mixed $data=NULL)
| ||
$name | string | the item name. This must be a unique identifier. |
$type | integer | the item type (0: operation, 1: task, 2: role). |
$description | string | description of the item |
$bizRule | string | business rule associated with the item. This is a piece of PHP code that will be executed when checkAccess is called for the item. |
$data | mixed | additional data associated with the item. |
{return} | CAuthItem | the authorization item |
public function createAuthItem($name,$type,$description='',$bizRule=null,$data=null)
{
$sql="INSERT INTO {$this->itemTable} (name,type,description,bizrule,data) VALUES (:name,:type,:description,:bizrule,:data)";
$command=$this->db->createCommand($sql);
$command->bindValue(':type',$type);
$command->bindValue(':name',$name);
$command->bindValue(':description',$description);
$command->bindValue(':bizrule',$bizRule);
$command->bindValue(':data',serialize($data));
$command->execute();
return new CAuthItem($this,$name,$type,$description,$bizRule,$data);
}
Creates an authorization item. An authorization item represents an action permission (e.g. creating a post). It has three types: operation, task and role. Authorization items form a hierarchy. Higher level items inheirt permissions representing by lower level items.
protected boolean detectLoop(string $itemName, string $childName)
| ||
$itemName | string | parent item name |
$childName | string | the name of the child item that is to be added to the hierarchy |
{return} | boolean | whether a loop exists |
protected function detectLoop($itemName,$childName)
{
if($childName===$itemName)
return true;
foreach($this->getItemChildren($childName) as $child)
{
if($this->detectLoop($itemName,$child->getName()))
return true;
}
return false;
}
Checks whether there is a loop in the authorization item hierarchy.
public CAuthAssignment getAuthAssignment(string $itemName, mixed $userId)
| ||
$itemName | string | the item name |
$userId | mixed | the user ID (see IWebUser::getId) |
{return} | CAuthAssignment | the item assignment information. Null is returned if the item is not assigned to the user. |
public function getAuthAssignment($itemName,$userId)
{
$sql="SELECT * FROM {$this->assignmentTable} WHERE itemname=:itemname AND userid=:userid";
$command=$this->db->createCommand($sql);
$command->bindValue(':itemname',$itemName);
$command->bindValue(':userid',$userId);
if(($row=$command->queryRow($sql))!==false)
return new CAuthAssignment($this,$row['itemname'],$row['userid'],$row['bizrule'],unserialize($row['data']));
else
return null;
}
Returns the item assignment information.
public array getAuthAssignments(mixed $userId)
| ||
$userId | mixed | the user ID (see IWebUser::getId) |
{return} | array | the item assignment information for the user. An empty array will be returned if there is no item assigned to the user. |
public function getAuthAssignments($userId)
{
$sql="SELECT * FROM {$this->assignmentTable} WHERE userid=:userid";
$command=$this->db->createCommand($sql);
$command->bindValue(':userid',$userId);
$assignments=array();
foreach($command->queryAll($sql) as $row)
$assignments[$row['itemname']]=new CAuthAssignment($this,$row['itemname'],$row['userid'],$row['bizrule'],unserialize($row['data']));
return $assignments;
}
Returns the item assignments for the specified user.
public CAuthItem getAuthItem(string $name)
| ||
$name | string | the name of the item |
{return} | CAuthItem | the authorization item. Null if the item cannot be found. |
public function getAuthItem($name)
{
$sql="SELECT * FROM {$this->itemTable} WHERE name=:name";
$command=$this->db->createCommand($sql);
$command->bindValue(':name',$name);
if(($row=$command->queryRow())!==false)
return new CAuthItem($this,$row['name'],$row['type'],$row['description'],$row['bizrule'],unserialize($row['data']));
else
return null;
}
Returns the authorization item with the specified name.
public array getAuthItems(integer $type=NULL, mixed $userId=NULL)
| ||
$type | integer | the item type (0: operation, 1: task, 2: role). Defaults to null, meaning returning all items regardless of their type. |
$userId | mixed | the user ID. Defaults to null, meaning returning all items even if they are not assigned to a user. |
{return} | array | the authorization items of the specific type. |
public function getAuthItems($type=null,$userId=null)
{
if($type===null && $userId===null)
{
$sql="SELECT * FROM {$this->itemTable}";
$command=$this->db->createCommand($sql);
}
else if($userId===null)
{
$sql="SELECT * FROM {$this->itemTable} WHERE type=:type";
$command=$this->db->createCommand($sql);
$command->bindValue(':type',$type);
}
else if($type===null)
{
$sql="SELECT name,type,description,t1.bizrule,t1.data
FROM {$this->itemTable} t1, {$this->assignmentTable} t2
WHERE name=itemname AND userid=:userid";
$command=$this->db->createCommand($sql);
$command->bindValue(':userid',$userId);
}
else
{
$sql="SELECT name,type,description,t1.bizrule,t1.data
FROM {$this->itemTable} t1, {$this->assignmentTable} t2
WHERE name=itemname AND type=:type AND userid=:userid";
$command=$this->db->createCommand($sql);
$command->bindValue(':type',$type);
$command->bindValue(':userid',$userId);
}
$items=array();
foreach($command->queryAll() as $row)
$items[$row['name']]=new CAuthItem($this,$row['name'],$row['type'],$row['description'],$row['bizrule'],unserialize($row['data']));
return $items;
}
Returns the authorization items of the specific type and user.
protected CDbConnection getDbConnection()
| ||
{return} | CDbConnection | the DB connection instance |
protected function getDbConnection()
{
if($this->db!==null)
return $this->db;
else if(($this->db=Yii::app()->getComponent($this->connectionID)) instanceof CDbConnection)
return $this->db;
else
throw new CException(Yii::t('yii','CDbAuthManager.connectionID "{id}" is invalid. Please make sure it refers to the ID of a CDbConnection application component.',
array('{id}'=>$this->connectionID)));
}
public array getItemChildren(mixed $names)
| ||
$names | mixed | the parent item name. This can be either a string or an array. The latter represents a list of item names (available since version 1.0.5). |
{return} | array | all child items of the parent |
public function getItemChildren($names)
{
if(is_string($names))
$condition='parent='.$this->db->quoteValue($names);
else if(is_array($names) && $names!==array())
{
foreach($names as &$name)
$name=$this->db->quoteValue($name);
$condition='parent IN ('.implode(', ',$names).')';
}
$sql="SELECT name, type, description, bizrule, data FROM {$this->itemTable}, {$this->itemChildTable} WHERE $condition AND name=child";
$children=array();
foreach($this->db->createCommand($sql)->queryAll() as $row)
$children[$row['name']]=new CAuthItem($this,$row['name'],$row['type'],$row['description'],$row['bizrule'],unserialize($row['data']));
return $children;
}
Returns the children of the specified item.
public boolean hasItemChild(string $itemName, string $childName)
| ||
$itemName | string | the parent item name |
$childName | string | the child item name |
{return} | boolean | whether the child exists |
public function hasItemChild($itemName,$childName)
{
$sql="SELECT parent FROM {$this->itemChildTable} WHERE parent=:parent AND child=:child";
$command=$this->db->createCommand($sql);
$command->bindValue(':parent',$itemName);
$command->bindValue(':child',$childName);
return $command->queryScalar()!==false;
}
Returns a value indicating whether a child exists within a parent.
public void init()
|
public function init()
{
parent::init();
$this->getDbConnection()->setActive(true);
$this->_usingSqlite=!strncmp($this->getDbConnection()->getDriverName(),'sqlite',6);
}
Initializes the application component. This method overrides the parent implementation by establishing the database connection.
public boolean isAssigned(string $itemName, mixed $userId)
| ||
$itemName | string | the item name |
$userId | mixed | the user ID (see IWebUser::getId) |
{return} | boolean | whether the item has been assigned to the user. |
public function isAssigned($itemName,$userId)
{
$sql="SELECT itemname FROM {$this->assignmentTable} WHERE itemname=:itemname AND userid=:userid";
$command=$this->db->createCommand($sql);
$command->bindValue(':itemname',$itemName);
$command->bindValue(':userid',$userId);
return $command->queryScalar()!==false;
}
Returns a value indicating whether the item has been assigned to the user.
public boolean removeAuthItem(string $name)
| ||
$name | string | the name of the item to be removed |
{return} | boolean | whether the item exists in the storage and has been removed |
public function removeAuthItem($name)
{
if($this->usingSqlite())
{
$sql="DELETE FROM {$this->itemChildTable} WHERE parent=:name1 OR child=:name2";
$command=$this->db->createCommand($sql);
$command->bindValue(':name1',$name);
$command->bindValue(':name2',$name);
$command->execute();
$sql="DELETE FROM {$this->assignmentTable} WHERE itemname=:name";
$command=$this->db->createCommand($sql);
$command->bindValue(':name',$name);
$command->execute();
}
$sql="DELETE FROM {$this->itemTable} WHERE name=:name";
$command=$this->db->createCommand($sql);
$command->bindValue(':name',$name);
return $command->execute()>0;
}
Removes the specified authorization item.
public boolean removeItemChild(string $itemName, string $childName)
| ||
$itemName | string | the parent item name |
$childName | string | the child item name |
{return} | boolean | whether the removal is successful |
public function removeItemChild($itemName,$childName)
{
$sql="DELETE FROM {$this->itemChildTable} WHERE parent=:parent AND child=:child";
$command=$this->db->createCommand($sql);
$command->bindValue(':parent',$itemName);
$command->bindValue(':child',$childName);
return $command->execute()>0;
}
Removes a child from its parent. Note, the child item is not deleted. Only the parent-child relationship is removed.
public boolean revoke(string $itemName, mixed $userId)
| ||
$itemName | string | the item name |
$userId | mixed | the user ID (see IWebUser::getId) |
{return} | boolean | whether removal is successful |
public function revoke($itemName,$userId)
{
$sql="DELETE FROM {$this->assignmentTable} WHERE itemname=:itemname AND userid=:userid";
$command=$this->db->createCommand($sql);
$command->bindValue(':itemname',$itemName);
$command->bindValue(':userid',$userId);
return $command->execute()>0;
}
Revokes an authorization assignment from a user.
public void save()
|
Saves the authorization data to persistent storage.
public void saveAuthAssignment(CAuthAssignment $assignment)
| ||
$assignment | CAuthAssignment | the assignment that has been changed. |
public function saveAuthAssignment($assignment)
{
$sql="UPDATE {$this->assignmentTable} SET bizrule=:bizrule, data=:data WHERE itemname=:itemname AND userid=:userid";
$command=$this->db->createCommand($sql);
$command->bindValue(':bizrule',$assignment->getBizRule());
$command->bindValue(':data',serialize($assignment->getData()));
$command->bindValue(':itemname',$assignment->getItemName());
$command->bindValue(':userid',$assignment->getUserId());
$command->execute();
}
Saves the changes to an authorization assignment.
public void saveAuthItem(CAuthItem $item, string $oldName=NULL)
| ||
$item | CAuthItem | the item to be saved. |
$oldName | string | the old item name. If null, it means the item name is not changed. |
public function saveAuthItem($item,$oldName=null)
{
if($this->usingSqlite() && $oldName!==null && $item->getName()!==$oldName)
{
$sql="UPDATE {$this->itemChildTable} SET parent=:newName WHERE parent=:name";
$command=$this->db->createCommand($sql);
$command->bindValue(':name',$oldName);
$command->bindValue(':newName',$item->getName());
$command->execute();
$sql="UPDATE {$this->itemChildTable} SET child=:newName WHERE child=:name";
$command=$this->db->createCommand($sql);
$command->bindValue(':name',$oldName);
$command->bindValue(':newName',$item->getName());
$command->execute();
$sql="UPDATE {$this->assignmentTable} SET itemname=:newName WHERE itemname=:name";
$command=$this->db->createCommand($sql);
$command->bindValue(':name',$oldName);
$command->bindValue(':newName',$item->getName());
$command->execute();
}
$sql="UPDATE {$this->itemTable} SET name=:newName, type=:type, description=:description, bizrule=:bizrule, data=:data WHERE name=:name";
$command=$this->db->createCommand($sql);
$command->bindValue(':type',$item->getType());
$command->bindValue(':name',$oldName===null?$item->getName():$oldName);
$command->bindValue(':newName',$item->getName());
$command->bindValue(':description',$item->getDescription());
$command->bindValue(':bizrule',$item->getBizRule());
$command->bindValue(':data',serialize($item->getData()));
$command->execute();
}
Saves an authorization item to persistent storage.
protected boolean usingSqlite()
| ||
{return} | boolean | whether the database is a SQLite database |
protected function usingSqlite()
{
return $this->_usingSqlite;
}
Signup or Login in order to comment.